Ever since the first version of Windows (XP) was introduced, Microsoft has designed the Windows operating system (OS) to use a pagefile (also referred to as virtual memory) to compensate for shortages of physical memory. The pagefile allows Windows to use hard disk space as memory. When the machine's physical memory begins filling up, pages of data are moved from physical memory to virtual memory as a way of freeing up memory.
Eventually, the OS needs to retrieve data from the pages of memory that were moved to virtual memory. Since Windows can't read the data directly from virtual memory, it moves additional pages to virtual memory, as a way of freeing up space in the machine's physical memory. The memory pages that are currently needed are then moved from virtual memory into the newly freed space in the machine's physical memory. This process is known as swapping or paging.
Although paging is a normal process performed by the Windows OS, there are several reasons why a pagefile can be considered a security risk. First, Windows does not automatically clear a pagefile when a user logs out, which means there is a good chance that copies of the user's files will still exist in the pagefile long after the user logs off. Windows security prevents users from logging in and browsing the pagefile, but there is nothing to stop a user from booting an alternate OS and using that OS to circumvent Windows security and browsing the pagefile.
There are some situations in which having access to a pagefile may mean the difference between gaining or not gaining access to restricted files.
For example, if a user's data is stored on a network share, having physical access to the machine won't really help someone access the user's files. Of course if the user has recently used those files, then copies of the files may reside in the pagefile.
Another example of a situation in which a pagefile can be used to breach security is in the case of encrypted files. Any time that Windows reads a file that was encrypted using EFS (Encrypting File System), the file is decrypted. As such, if a user accesses an encrypted file, then there is a very good chance that a copy of the file will be stored in the pagefile in an unencrypted format. When you combine this with the fact that the pagefile itself cannot be encrypted, you can see how this could be a security concern.
Disabling the pagefile
This raises the question of how you can prevent pagefile-related security problems. The only sure way to get around these security issues is to not use a pagefile at all. Windows relies on pagefile to compensate for shortages in physical memory. X86 systems support a 4 GB memory model. Therefore, if your machine has 4 GB of RAM, you can disable pagefile completely. If your system has less than 4 GB of memory, then Windows won't stop you from disabling pagefile, but the system's performance and stability may suffer if you do. I also do not recommend disabling pagefile if you are running a 64-bit version of Windows.
To disable pagefile on a computer running Windows XP:
- Open the Control Panel.
- Click Performance and Maintenance.
- Click System.
- When the System Properties sheet appears, select the Advanced tab.
- Click the Settings button found in the Performance section.
- When the Performance Options properties sheet is displayed, select the Advanced tab.
- Click the Change button found in the Virtual Memory section.
- Select the No Paging File option.
- Click OK, three times.
Disabling hibernation
Another way to reduce the risk of a pagefile-related security breach is to disable hibernation. When a computer goes into hibernation mode, the contents of the system's memory are dumped to disk in an unencrypted format, leaving data vulnerable to exposure.
To disable hibernation:
- Open the Control Panel.
- Click Performance and Maintenance.
- Click Power Options.
- When the Power Options properties sheet appears, select the Hibernate tab.
- Clear the Enable hibernation check box.
- Click OK.
Clearing the pagefile at shutdown
One last way that you can protect a system against a pagefile-related security breach is to configure Windows to clear the pagefile at shutdown. Clearing the pagefile takes time and prolongs the shutdown procedure, but it removes user data from the pagefile.
To configure Windows to clear the pagefile at shutdown:
- Open the Group Policy Object Editor.
- Navigate through the console tree to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.
- Double click on the Shutdown: Clear Virtual Memory Pagefile option.
- Choose the Enable option.
- Click OK.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.
